Current status

2013-08-16: It is possible that user interface and encryption key rotation mechanism will not be finished in time for Fedora 20. In that case, the feature will stay hidden and disabled.

2013-10-17: Some time ago we decided to postpone this feature to Fedora 21.

Detailed Description

DNS server integrated to FreeIPA in Fedora 19 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.

Benefit to Fedora

Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled and configured.

User Experience

FreeIPA's user interface will be extended. New options will offer DNSSEC key management for each DNS zone.

Dependencies

FreeIPA packages have to be updated to provide user interface for DNSSEC key management etc. Required changes should be relatively small and isolated. Feature owner is member of FreeIPA team so coordination should be relatively simple.